CVE-2018-1000534
Description
Joplin version prior to 1.0.90 contains a XSS evolving into code execution due to enabled nodeIntegration for that particular BrowserWindow instance where XSS was identified from vulnerability in Note content field - information on the fix can be found here https://github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89 that can result in executing unauthorized code within the rights in which the application is running. This attack appear to be exploitable via Victim synchronizing notes from the cloud services or other note-keeping services which contain malicious code. This vulnerability appears to have been fixed in 1.0.90 and later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joplin prior to 1.0.90 allows XSS via malicious note content, escalating to arbitrary code execution due to enabled nodeIntegration in the editor window.
Vulnerability
Joplin versions prior to 1.0.90 contain a cross-site scripting (XSS) vulnerability within the note content field. The application uses Electron's BrowserWindow with nodeIntegration enabled, allowing JavaScript embedded in note content to execute beyond the sandbox. The vulnerability arises because HTML tags other than the allowed `` are not sufficiently sanitized, as indicated by the fix commit [3]. Affected versions: all Joplin releases before 1.0.90 [1].
Exploitation
An attacker crafts a note containing malicious HTML/JavaScript and delivers it to a victim through cloud synchronization services (e.g., Nextcloud, Dropbox, OneDrive) or other note-keeping services that Joplin syncs with [1]. When the victim opens the malicious note in the desktop application, the embedded script executes within the Electron context. No additional user interaction beyond viewing the note is required; the XSS payload fires automatically upon rendering.
Impact
Successful exploitation allows the attacker to execute arbitrary code with the same privileges as the Joplin application. This can lead to full compromise of the victim's system, including unauthorized access to local files, credentials, and other notes synced to the same account. The attack achieves information disclosure, file manipulation, and potential remote code execution due to the privileged Electron environment [1].
Mitigation
Users should upgrade to Joplin version 1.0.90 or later, which includes the fix committed in commit 494e235 [3]. The fix enforces HTML sanitization, disallowing arbitrary HTML tags in note content. No workarounds are known for unpatched versions; however, disabling synchronization with untrusted cloud services may reduce attack surface. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the public disclosure date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
joplinnpm | < 1.0.90 | 1.0.90 |
Affected products
1Patches
1494e235e1865Electron: Resolves #500: Fixed XSS security vulnerability
3 files changed · +17 −8
docs/index.html+9 −7 modified@@ -454,6 +454,8 @@ <h2 id="checkboxes">Checkboxes</h2> - [ ] Rice - [ ] Eggs </code></pre><p>The checkboxes can then be ticked in the mobile and desktop applications.</p> +<h2 id="html-support">HTML support</h2> +<p>Only the <code><br></code> tag is supported - it can be used to force a new line, which is convenient to insert new lines inside table cells. For security reasons, other HTML tags are not supported.</p> <h1 id="donations">Donations</h1> <p>Donations to Joplin support the development of the project. Developing quality applications mostly takes time, but there are also some expenses, such as digital certificates to sign the applications, app store fees, hosting, etc. Most of all, your donation will make it possible to keep up the current development standard.</p> <p>Please see the <a href="https://joplin.cozic.net/donate/">donation page</a> for information on how to support the development of Joplin.</p> @@ -499,14 +501,14 @@ <h1 id="localisation">Localisation</h1> <td><img src="https://joplin.cozic.net/images/flags/country-4x3/hr.png" alt=""></td> <td>Croatian</td> <td><a href="https://github.com/laurent22/joplin/blob/master/CliClient/locales/hr_HR.po">hr_HR</a></td> -<td>Hrvoje Mandić <a href="mailto:trbuhom@net.hr">trbuhom@net.hr</a></td> +<td>Hrvoje Mandić <a href="mailto:trbuhom@net.hr">trbuhom@net.hr</a></td> <td>61%</td> </tr> <tr> <td><img src="https://joplin.cozic.net/images/flags/country-4x3/cz.png" alt=""></td> <td>Czech</td> <td><a href="https://github.com/laurent22/joplin/blob/master/CliClient/locales/cs_CZ.po">cs_CZ</a></td> -<td>Lukas Helebrandt <a href="mailto:lukas@aiya.cz">lukas@aiya.cz</a></td> +<td>Lukas Helebrandt <a href="mailto:lukas@aiya.cz">lukas@aiya.cz</a></td> <td>95%</td> </tr> <tr> @@ -520,7 +522,7 @@ <h1 id="localisation">Localisation</h1> <td><img src="https://joplin.cozic.net/images/flags/country-4x3/de.png" alt=""></td> <td>Deutsch</td> <td><a href="https://github.com/laurent22/joplin/blob/master/CliClient/locales/de_DE.po">de_DE</a></td> -<td>Philipp Zumstein <a href="mailto:zuphilip@gmail.com">zuphilip@gmail.com</a></td> +<td>Philipp Zumstein <a href="mailto:zuphilip@gmail.com">zuphilip@gmail.com</a></td> <td>98%</td> </tr> <tr> @@ -534,7 +536,7 @@ <h1 id="localisation">Localisation</h1> <td><img src="https://joplin.cozic.net/images/flags/country-4x3/es.png" alt=""></td> <td>Español</td> <td><a href="https://github.com/laurent22/joplin/blob/master/CliClient/locales/es_ES.po">es_ES</a></td> -<td>Fernando Martín <a href="mailto:f@mrtn.es">f@mrtn.es</a></td> +<td>Fernando Martín <a href="mailto:f@mrtn.es">f@mrtn.es</a></td> <td>99%</td> </tr> <tr> @@ -548,7 +550,7 @@ <h1 id="localisation">Localisation</h1> <td><img src="https://joplin.cozic.net/images/flags/country-4x3/es.png" alt=""></td> <td>Galician</td> <td><a href="https://github.com/laurent22/joplin/blob/master/CliClient/locales/gl_ES.po">gl_ES</a></td> -<td>Marcos Lans <a href="mailto:marcoslansgarza@gmail.com">marcoslansgarza@gmail.com</a></td> +<td>Marcos Lans <a href="mailto:marcoslansgarza@gmail.com">marcoslansgarza@gmail.com</a></td> <td>95%</td> </tr> <tr> @@ -569,14 +571,14 @@ <h1 id="localisation">Localisation</h1> <td><img src="https://joplin.cozic.net/images/flags/country-4x3/br.png" alt=""></td> <td>Português (Brasil)</td> <td><a href="https://github.com/laurent22/joplin/blob/master/CliClient/locales/pt_BR.po">pt_BR</a></td> -<td>Renato Nunes Bastos <a href="mailto:rnbastos@gmail.com">rnbastos@gmail.com</a></td> +<td>Renato Nunes Bastos <a href="mailto:rnbastos@gmail.com">rnbastos@gmail.com</a></td> <td>97%</td> </tr> <tr> <td><img src="https://joplin.cozic.net/images/flags/country-4x3/ru.png" alt=""></td> <td>Русский</td> <td><a href="https://github.com/laurent22/joplin/blob/master/CliClient/locales/ru_RU.po">ru_RU</a></td> -<td>Artyom Karlov <a href="mailto:artyom.karlov@gmail.com">artyom.karlov@gmail.com</a></td> +<td>Artyom Karlov <a href="mailto:artyom.karlov@gmail.com">artyom.karlov@gmail.com</a></td> <td>94%</td> </tr> <tr>
ReactNativeClient/lib/MdToHtml.js+4 −1 modified@@ -389,7 +389,7 @@ class MdToHtml { const md = new MarkdownIt({ breaks: true, linkify: true, - html: true, + html: false, // For security, HTML tags are not supported - https://github.com/laurent22/joplin/issues/500 }); // This is currently used only so that the $expression$ and $$\nexpression\n$$ blocks are translated @@ -435,6 +435,9 @@ class MdToHtml { } } + // Support <br> tag to allow newlines inside table cells + renderedBody = renderedBody.replace(/<br>/gi, '<br>'); + // https://necolas.github.io/normalize.css/ const normalizeCss = ` html{line-height:1.15;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}
README.md+4 −0 modified@@ -253,6 +253,10 @@ Checkboxes can be added like so: The checkboxes can then be ticked in the mobile and desktop applications. +## HTML support + +Only the `<br>` tag is supported - it can be used to force a new line, which is convenient to insert new lines inside table cells. For security reasons, other HTML tags are not supported. + # Donations Donations to Joplin support the development of the project. Developing quality applications mostly takes time, but there are also some expenses, such as digital certificates to sign the applications, app store fees, hosting, etc. Most of all, your donation will make it possible to keep up the current development standard.
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-m6mf-hmrh-ph4jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-1000534ghsaADVISORY
- github.com/laurent22/joplin/commit/494e235e18659574f836f84fcf9f4d4fcdcfcf89ghsax_refsource_MISCWEB
- github.com/laurent22/joplin/issues/500ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.